Kibana Cross-Site Scripting (XSS) (ESA-2025-20)
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
Affected Versions:
- 7.x: All versions prior to and including 7.17.29
- 8.x: All versions from 8.0.0 up to and including 8.18.7
- 8.19.x: All versions from 8.19.0 up to and including 8.19.4
- 9.0.x: All versions from 9.0.0 up to and including 9.0.7
- 9.1.x: All versions from 9.1.0 up to and including 9.1.4
Affected Configurations:
The attacker requires the ability to upload files to a Kibana case; see https://www.elastic.co/docs/explore-analyze/alerts-cases/cases/manage-cases#add-case-files
Solutions and Mitigations:
Users should upgrade to the versions below or later:
- 8.18.8
- 8.19.5
- 9.0.8
- 9.1.5
For Users that Cannot Upgrade:
Self-hosted & Cloud
For versions >= 7.12 to < 9.0, users can set discover:searchFieldsFromSource: true in Advanced Settings
There are no workarounds for 9.0+
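The following is an added triage helper, not Elastic's code or part of this advisory: it takes a Kibana version string and (optionally) the JSON body of Kibana's Advanced Settings API and reports whether the deployment is in an affected range, whether the discover:searchFieldsFromSource workaround applies, and whether it is already set. The response shape assumed for GET /api/kibana/settings is a guess and should be checked against your Kibana version.

```python
import re

# Affected ranges from ESA-2025-20, each as (inclusive low, inclusive high).
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 17, 29)),   # 7.x up to and including 7.17.29
    ((8, 0, 0), (8, 18, 7)),    # 8.0.0 .. 8.18.7
    ((8, 19, 0), (8, 19, 4)),   # 8.19.0 .. 8.19.4
    ((9, 0, 0), (9, 0, 7)),     # 9.0.0 .. 9.0.7
    ((9, 1, 0), (9, 1, 4)),     # 9.1.0 .. 9.1.4
]
WORKAROUND_KEY = "discover:searchFieldsFromSource"   # advanced setting named in the advisory
WORKAROUND_LOW, WORKAROUND_HIGH = (7, 12, 0), (9, 0, 0)  # advisory: >= 7.12 and < 9.0


def parse_version(text):
    """Turn '8.18.7' (optionally with a -SNAPSHOT/+build suffix) into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def workaround_applies(version):
    return WORKAROUND_LOW <= parse_version(version) < WORKAROUND_HIGH


def workaround_set(settings_body):
    """Check the body of GET /api/kibana/settings (assumed shape:
    {"settings": {"<key>": {"userValue": ...}}}) for the mitigating value."""
    entry = settings_body.get("settings", {}).get(WORKAROUND_KEY, {})
    return entry.get("userValue") is True


def triage(version, settings_body=None):
    """Return one of: not_affected, mitigated, workaround_available, upgrade_required."""
    if not is_affected(version):
        return "not_affected"
    if workaround_applies(version):
        if settings_body is not None and workaround_set(settings_body):
            return "mitigated"
        return "workaround_available"
    return "upgrade_required"   # 9.0+ has no workaround; upgrade per the advisory


if __name__ == "__main__":
    # Constructed sample response, not real output from any deployment.
    sample_settings = {"settings": {WORKAROUND_KEY: {"userValue": True}}}
    for ver in ["7.17.29", "8.18.7", "8.18.8", "9.0.7", "9.1.5"]:
        print(ver, triage(ver, sample_settings))
```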
Severity: CVSSv3.1: 8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVE ID: CVE-2025-25009